summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Crank the major of libtls: the behaviour of tls_write() has beenreyk2015-07-191-1/+1
| | | | | | changed in an incompatible way regarding partial writes. OK miod@ deraadt@
* Free memory when finished.doug2015-07-191-2/+6
| | | | | | Fixes coverity 78835. ok bcook@
* Add documentation on how to use TLS_{READ,WRITE}_AGAIN.doug2015-07-191-2/+29
| | | | ok beck@
* Now that it is safe to invoke X509_STORE_CTX_cleanup() if X509_STORE_CTX_init()miod2015-07-194-16/+32
| | | | | fails, check its return value and correctly mop up after ourselves. ok beck@ doug@
* Only close descriptor if not already closed.doug2015-07-191-3/+5
| | | | | | Fixes coverity 78916. ok miod@ bcook@
* Free variable before potentially reusing.doug2015-07-191-1/+2
| | | | | | Fixes coverity 78824. ok bcook@ miod@
* Free passin on error.doug2015-07-191-4/+4
| | | | | | Fixes coverity 78826. ok miod@ bcook@
* Fix coverity 105339, by correctly checking return from strtollbeck2015-07-191-1/+1
| | | | ok miod@ bcook@
* Put explicit braces around assignment used in a conditional.miod2015-07-192-4/+4
| | | | ok bcook@ doug@
* Remove the logic responsible for outputting most AES-NI instructions asmiod2015-07-196-214/+0
| | | | | | | | | raw byte sequences. The toolchains have had some time to update and assemble the instructions correctly (except for p{ins,ext}rd which are not supported yet by as(1) under OpenBSD, but will be fixed shortly). Inspired by a discussion between tedu@ and John-Mark Gurney. Verified to still work on Mac OS X and average Linux distros by bcook@
* Replace `.byte 0x48,0x83,0xEC,0x08' with `sub \$8,%rsp' which is exactly themiod2015-07-192-4/+4
| | | | same four bytes, unobfuscated.
* Simplify X509_STORE_CTX_init and make it safe with stack variables.doug2015-07-192-116/+110
| | | | | | | The current version is not safe with stack variables because it may return prematurely with a partially constructed object on error. ok miod@ a while back
* Remove case that can never happen.doug2015-07-192-10/+2
| | | | | | | It's a little convoluted due to gotos, but at that point, pci is always NULL. Spotted by Coverity 21702. ok miod@ beck@ bcook@
* Fix Coverity 72742 - ret is overwritten immediately after this.beck2015-07-192-4/+2
| | | | ok doug@
* Remove effectively unused variable.doug2015-07-191-4/+1
| | | | | | Fixes Coverity issue 21693. ok beck@ bcook@
* Assign p to CBS_data since it is used later.doug2015-07-192-4/+6
| | | | | | The p initialization was hiding this bug but Coverity 126279 saw it. ok miod@ bcook@ beck@
* abort when ENGINE_remove fails, fix Coverity 21656bcook2015-07-192-10/+4
| | | | ok doug@, beck@
* Convert dtls1_get_message_header to CBS and change to int.doug2015-07-186-32/+74
| | | | | | | Changed return value from void to int. It should never return an error given that the input length is not checked yet. ok miod@
* rand_err doesn't exist anymore, coverity 78808beck2015-07-182-6/+6
| | | | ok doug@
* Coverity 21651beck2015-07-182-6/+14
| | | | ok doug@
* Convert dtls1_get_record to CBS.doug2015-07-182-42/+56
| | | | ok miod@, input + ok jsing@
* Remove repeated code in dtls1_get_record.doug2015-07-182-80/+32
| | | | | | | | The "if" is a bit ugly, but this does remove a lot of repetitive code. This will be converted to CBS later as well. ok miod@ jsing@ roughly ok with it after seeing the CBS version
* Set SSL_MODE_ENABLE_PARTIAL_WRITE and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFERbluhm2015-07-181-1/+4
| | | | | | | in libtls. This gives tls_write() a similar short write semantics as write(2). So implementing daemons with libevent buffers will be easier and workarounds in syslogd and httpd can be removed. OK tedu@ beck@ reyk@
* Dead code, Coverity 78798beck2015-07-182-6/+2
| | | | ok bcook@ doug@
* simplify length checking in do_indefinite_convertbcook2015-07-181-11/+17
| | | | | Fixes Coverity 117506, 117507, 117508 ok doug@
* Coverity ID 78910 - Yet another stupid API designed to not show failures. do thebeck2015-07-182-12/+16
| | | | | | | | | | lease worst alternative and do nothing rather than dereference NULL, but having a function with fundamentally broken API to simply make a list of strings, sort them, and call a function with each string as an argument is really quite silly.... and of course it was exposed API that the ecosystem uses that we can't delete.. yet. ok miod@ doug@
* Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER workaround.doug2015-07-1810-58/+26
| | | | | | This was a hack to work around problems on IE 6 with SSLv3. ok miod@ bcook@
* remove mysterious, decorative comment blockletsbcook2015-07-181-21/+21
|
* Explicitly mark ignored BN_* return vals in tests.bcook2015-07-181-6/+6
| | | | | The tests will fail all the same. Fixes Coverity 78811 21659 21658 21657. Discussed with beck@
* check sscanf conversion, fixes Coverity 21666bcook2015-07-181-2/+6
| | | | ok doug@, miod@, guenther@
* Check the return value of ASN1_STRING_set(), for it may fail to allocatemiod2015-07-184-12/+28
| | | | | memory. Coverity CID 24810, 24846. ok bcook@ doug@
* Remove support for the SSL_OP_TLS_D5_BUG compat hack from SSLeay.doug2015-07-186-28/+22
| | | | | | | | This is a 17 year old workaround from SSLeay 0.9.0b. It was for clients that send RSA client key exchange in TLS using SSLv3 format (no length prefix). ok jsing@
* Unbreak, add errno headerjeremy2015-07-181-1/+2
| | | | OK tedu@
* set errno in null cases, just in case.tedu2015-07-181-2/+3
|
* standards compliant error return (null). will make ruby happier, at least.tedu2015-07-181-5/+2
| | | | ok deraadt jeremy
* Fix leak found by coverity, issue 78897 - which also brough tobeck2015-07-186-50/+66
| | | | | | light that the child counting was broken in the original code. this is still fugly, but this preserves all the existing goo. ok doug@
* delete doubled words;schwarze2015-07-178-8/+8
| | | | patch from Theo Buehler <theo at math dot ethz dot ch>
* extenstion -> extensionmiod2015-07-172-2/+2
|
* fix leak, found by coverity, ID 78877beck2015-07-171-3/+3
| | | | ok miod@ jsing@
* Convert ssl_parse_serverhello_use_srtp_ext to CBS.doug2015-07-174-24/+34
| | | | ok miod@ jsing@
* Remove SSLv3 support from openssl(1) s_time.doug2015-07-171-13/+3
| | | | ok miod@ bcook@ beck@
* Remove SSLv3 support from openssl(1) s_server.doug2015-07-171-7/+2
| | | | ok miod@ bcook@ beck@
* Remove SSLv3 support from openssl(1) s_client.doug2015-07-171-4/+1
| | | | ok miod@ bcook@ beck@
* Remove support for SSLv3 from openssl(1) ciphers.doug2015-07-171-27/+5
| | | | ok miod@ bcook@
* Remove compat hack that disabled ECDHE-ECDSA on OS X.doug2015-07-1710-208/+26
| | | | | | | | | For a few old releases, ECDHE-ECDSA was broken on OS X. This option cannot differentiate between working and broken OS X so it disabled ECDHE-ECDSA support on all OS X >= 10.6. 10.8-10.8.3 were the faulty releases but these are no longer relevant. Tested on OS X 10.10 by jsing. ok jsing@
* Remove workaround for TLS padding bug from SSLeay days.doug2015-07-1713-79/+25
| | | | | | | | | OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years. Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5. ok jsing@
* Bump LIBRESSL_VERSION defines.bcook2015-07-162-6/+14
| | | | | | | Moving forward, software should expect that LIBRESSL_VERSION_TEXT and LIBRESSL_VERSION_NUMBER will increment for each LibreSSL-portable release. ok deraadt@, beck@
* Enforce V_ASN1_OCTET_STRING type before accessing the object as octet string;miod2015-07-162-4/+8
| | | | | from OpenSSL (RT #3683) ok doug@ jsing@
* fix coverity leak - ID 78921beck2015-07-161-3/+11
| | | | ok miod@, bcook@
* kill leak, found by coverity, ID 105348beck2015-07-161-2/+5
| | | | ok miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-31 23:58:13 +0000